Dear Department of Defence FOI Team,
I seek administratively, but failing that under FOI, summary statistics about privacy complaints made to Defence, and any ancillary information specific to Defence about how Defence handles such privacy complaints if available (I'm interested in how the largest Commonwealth agency, by size and geographical spread, deals with issues arising under the Privacy Act 1988 (Cth), and note from past media reporting, issues relating to privacy have been covered).
If not able to be accessed administratively, then I seek under s 17 of the FOI a discrete statistical summary of all privacy complaints made over the last four financial years (and the current financial year to date), how many were dismissed, and how many were upheld.
If you have any details on the costs of administrating Defence's privacy handling functions, any training or other resources directly part of this function, or anything else you think would be helpful, it would be appreciated.
Some agencies put this information in their Annual Report, but I couldn't find any privacy commentary in yours.
Thank you for your email. Your email has been forwarded for consideration/action.
Thank you for your email of 15 June 2017 in which you sought access to information regarding "Privacy Complaint Statistics for the Department of Defence". The information attached to this email has been released to you administratively outside of the Freedom of Information Act.
If you require any further assistance please do not hesitate to contact our office on (02)6266 2200.
It appears Defence have misunderstood my request. The supplied information - which is the number of privacy complaints made about Defence to the Office of the Australian Information Commissioner (OAIC) - is a subset of what was asked, which was the number of privacy complaints made to Defence (not all privacy complaints made to Defence will be later referred to the OAIC).
This FOI remains extant, and I again ask Defence to satisfy the request as made.
Good morning Ms Pane
Please see below Defence's response to your inquiry.
In Defence, all complaints including privacy complaints should be raised at the lowest appropriate level in the first instance. Complaints raised soon after the incident are more likely to be quickly resolved. Similarly complaints should be made to local commander/managers as they are the individual/s best able to investigate and provide a remedy/outcome to the situation.
Defence personnel who have concerns regarding the collection, use or disclosure of their personal information are advised to contact the unit or directorate where they believe the breach occurred. If Defence personnel are dissatisfied with the local handling or outcome of their privacy complaint they can access internal review mechanisms - Redress of Grievance for Australian Defence Force members and Review of Actions for Australian Public Service employees. Individuals (including ex-members/ex-employees and members of the public) can also complain directly to the Defence Privacy Office.
The Defence complaint handling principles (listed in Chapter 1 Part 3 of the Complaints and Alternative Resolution Manual (CARM)) and Annex D of Defence Instruction (General) Personnel 35-3 -Management and reporting of unacceptable behaviour provide commanders and managers with general principles and guidance for managing privacy complaints. Complainants and commander/managers can also obtain information and advice from the Defence Privacy Intranet site which includes a Privacy Toolbox and the Privacy Knowledge Site - which also provides the information component of the Australian Privacy Principles: eAssessment course.
In managing complaints, which have been received, the Defence Privacy Office may refer the matter for local management and a decision. Where the Defence Privacy Office undertakes the complaint management function they will review the complaint, gather information from the area responsible, compare with relevant Australian Privacy Principle/s and then provide the complainant with a decision and if appropriate a remedy. Any decision provided to a complainant will include information about their option to make further complaint to the Office of the Australian Information Commissioner.
Defence does not maintain a central register of locally managed privacy concerns/complaints. Complaints received by the Defence Privacy Office have been recorded in the Complaints Management, Reporting and Tracking System (ComTrack) since 2014. The Defence Privacy Office is also the Defence point of contact for complaint investigations undertaken by the Office of the Australian Information Commissioner.
The privacy complaints received by the Defence Privacy Office by calendar year since 2014 are as detailed in the attached. Complaints made by multiple individuals about the same alleged incident are recorded as one complaint.
FOI Case Officer
Information Management and Access
Governance and Reform Division
Department of Defence | CP1-6-003| PO Box 7910 | Canberra BC ACT 2610 | (02) 6266 3948| Email [email address]
Thank you for your response (although I am unsure why a copy of the Unacceptable Behaviour Defence Instruction was included, given it has no relevance to the FOI scope), while it provided only part of the information sought (due to Defence choosing not to collect information on formal privacy complaints made locally), it nevertheless provides some insight based on the partial reporting provided (and is more useful than the already publicly available OAIC statistics about privacy complaints made to them, about Defence).
You mentioned an eLearning course Defence has on the Australian Privacy Principles, which is of interest, as I am also looking at what agencies are doing in the training side. I will file a new request about that separately, and indicate that I would be interesting in finding out more about that side of Defence's privacy management (as the largest agency in the Commonwealth portfolio, Defence makes a good case study example).